The popular Build-A-Bear Workshop removed links to Twitter and Pinterest from its home page, following an investigation by a unit of the Better Business Bureau. The company also fixed an apparent glitch that allowed children under 13 to circumvent a feature aimed at preventing them from entering personal information without their parents' consent.
The moves were announced this week by the Better Business Bureau's Children's Advertising Review Unit, which said it investigated Build-A-Bear to determine whether the company complied with CARU's self-regulatory guidelines, as well as the federal Children's Online Privacy Protection Act.
That law broadly prohibits Web site operators from collecting personal information from children younger than 13 without parental consent.
BuildABear.com, which sells teddy bears and other stuffed animals, requires users to enter their names, emails and other personal information in order to create an account. The site also asks users to enter a date of birth -- and if they are under 13, to provide a parent's email address. But Build-A-Bear did not store that data in a session cookie when CARU tested the site. That lack of a persistent cookie meant that children who were denied access could simply hit the back button on their browser and try again with a different birthdate.
Build-A-Bear said that a recent update to its site inadvertently resulted in a glitch that eliminated session cookies. Internet security consultant Parry Aftab, who advises Build-A-Bear, says there was only a one-week period in 2012 when the site's session cookies weren't working. She adds that BuildABear doesn't believe it collected any information from children under 13 during that period.
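The age-screen behavior described above, as an added example that is not Build-A-Bear's code: a server-side screen that records an under-13 result in a signed cookie, so a second attempt with a different birthdate gets the same answer, shown beside a screen that keeps no state. The cookie name, secret, decision strings and function names are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import date

SECRET = b"constructed-demo-key"   # assumption: secret held only by the server
COOKIE = "age_gate"                # assumption: hypothetical cookie name

def _mac(value: str) -> str:
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def sign(value: str) -> str:
    """Cookie value with an HMAC so the browser cannot forge or edit it."""
    return f"{value}.{_mac(value)}"

def verify(cookie):
    """Return the signed value, or None if the cookie is missing or altered."""
    if not cookie or "." not in cookie:
        return None
    value, mac = cookie.rsplit(".", 1)
    ok = hmac.compare_digest(mac.encode(), _mac(value).encode())
    return value if ok else None

def age_on(birth: date, today: date) -> int:
    """Whole years between birth and today."""
    before_birthday = (today.month, today.day) < (birth.month, birth.day)
    return today.year - birth.year - before_birthday

def screen(birth: date, cookies: dict, today: date):
    """Age screen that remembers a prior under-13 result.

    Returns (decision, cookies_to_set)."""
    if verify(cookies.get(COOKIE)) == "under13":
        # An earlier attempt in this browser was under 13: the new
        # birthdate is ignored and the parent's email is still required.
        return "parent_email_required", {}
    if age_on(birth, today) < 13:
        return "parent_email_required", {COOKIE: sign("under13")}
    return "allowed", {}

def screen_without_state(birth: date, today: date) -> str:
    """Screen with no cookie: every submission is judged on its own."""
    return "allowed" if age_on(birth, today) >= 13 else "parent_email_required"

if __name__ == "__main__":
    today = date(2012, 6, 1)                       # constructed test date
    _, jar = screen(date(2003, 1, 1), {}, today)   # first try: age 9
    print(screen(date(1990, 1, 1), jar, today)[0])         # retry is still gated
    print(screen_without_state(date(1990, 1, 1), today))   # retry passes
```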
CARU also found it problematic that BuildABear.com had links to Twitter and Pinterest on its home page. “Neither Pinterest nor Twitter does age-screening and children are able to input personally identifiable information,” CARU said in its decision.
The company removed those links in response to the investigation, but still offers links to YouTube and Facebook. The FTC's COPPA regulations don't appear to ban links to other sites, but CARU's self-regulatory principles provide that child-directed sites shouldn't link to sites that don't comply with its guidelines. Those guidelines say sites should use age-screening mechanisms if there is a “reasonable expectation” that children will visit.